892 Commits

Author SHA1 Message Date
Zuul
ab3d343794 Merge "Use public interface for Magnum client and trustee Keystone interface" 2020-07-01 15:39:46 +00:00
Bharat Kunwar
78bb594264 Use public interface for Magnum client and trustee Keystone interface
While all other clients should use internalURL, the Magnum client itself
and Keystone interface for trustee credentials should be publicly
accessible (upstream default when no config is specified) since
instances need to be able to reach them.

Closes-Bug: #1885420
Change-Id: I74359cec7147a80db24eb4aa4156c35d31a026bf
2020-07-01 08:45:12 +00:00
Radosław Piliszek
852c7a32c3 Fix the Elasticsearch Curator cron schedule run
There were two issues with it. Lack of /usr/local/bin in PATH
for CentOS and wrong crontab path for Ubuntu/Debian.
This patch mirrors how it is handled in keystone.

Change-Id: Ib54b261e12c409d66b792648807646015826e83c
Closes-Bug: #1885732
2020-06-30 16:39:55 +02:00
Zuul
6b582eae98 Merge "Fix etcd protocol configuration" 2020-06-29 11:20:27 +00:00
James Kirsch
a158432223 Fix etcd protocol configuration
The etcd service protocol is currently configured with internal_protocol.
The etcd service is not load balanced by a HAProxy container, so
there is no proxy layer to do TLS termination when internal_protocol
is configured to be "https".

Until the etcd service is configured to deploy with native TLS
termination, the etcd uses should be independent of
internal_protocol, and "http" by default.

Change-Id: I730c02331514244e44004aa06e9399c01264c65d
Closes-Bug: 1884137
2020-06-27 07:37:36 +00:00
Zuul
0673e98539 Merge "Verify TLS by default for Kibana to Elasticsearch" 2020-06-26 21:34:31 +00:00
Zuul
943c8670da Merge "Support CA certificate for fluentd & Elasticsearch" 2020-06-26 21:34:29 +00:00
Zuul
b47c912a3a Merge "Fix Magnum trust operations in multi-region clouds" 2020-06-26 17:07:32 +00:00
Zuul
74b4afdccc Merge "Use internalURL endpoint_type for all clients used by Magnum" 2020-06-26 16:48:44 +00:00
Zuul
6f26907a0a Merge "openvswitch: Use ansible_hostname for system-id" 2020-06-26 08:46:14 +00:00
Zuul
a1c47c9aa3 Merge "Change neutron-ovs-agent deploy only with manila generic backend" 2020-06-25 13:49:14 +00:00
Michal Nasiadka
cecdb6a175 openvswitch: Use ansible_hostname for system-id
Currently openvswitch sets system-id based on inventory_hostname, but when
Ansible inventory contains ip addresses - then it will only take first ip
octet - resulting in multiple OVN chassis being named i.e. "10".
Then Neutron and OVN have problems functioning, because a chassis named "10"
will be created and deleted multiple times per second - this ends up in
ovsdb and neutron-server processes using up to 100% CPU.

Adding openvswitch role to ovn CI job triggers.

Change-Id: Id22eb3e74867230da02543abd93234a5fb12b31d
Closes-Bug: #1884734
2020-06-25 14:20:08 +02:00
Zuul
4b2d443e1f Merge "Improve error reporting in password utilities" 2020-06-25 10:36:14 +00:00
Mark Goddard
e91fd969ac Verify TLS by default for Kibana to Elasticsearch
Currently, if internal TLS communication is enabled, Kibana to
Elasticsearch communication is unverified. This is because we set
elasticsearch.ssl.verificationMode to 'none' by default (via
kibana_elasticsearch_ssl_verify). This is poor a security
posture.

This change changes the default value of
'kibana_elasticsearch_ssl_verify' to 'true'.

Change-Id: Ie4fa8e3a60d69cf5c4bdd975030c92be8113ffb1
Closes-Bug: #1885110
2020-06-25 10:35:18 +01:00
Mark Goddard
31f3f84859 Support CA certificate for fluentd & Elasticsearch
Currently there is no way to configure a CA certificate bundle file for
fluentd to Elasticsearch communication. This change adds a new variable,
'fluentd_elasticsearch_cacert' with a default value set to the value of
'openstack_cacert.

Closes-Bug: #1885109

Change-Id: I5bbf55a4dd4ccce9fa2635cee720139c088268e3
2020-06-25 10:35:14 +01:00
Michal Nasiadka
c4c3ceca31 Change neutron-ovs-agent deploy only with manila generic backend
Change openvswitch & neutron-openvswitch-agent to deploy only
with manila generic backend - which uses ovs-vsctl functionality
when configuring share servers.

Change-Id: I124108cda62b38ea498612ff9ddb07d6122a330c
Closes-Bug: #1884939
2020-06-25 09:10:53 +00:00
Bharat Kunwar
eb24945d75 Use internalURL endpoint_type for all clients used by Magnum
Magnum, Cinder and Octavia clients in Magnum now use endpoint_type of
internalURL by default consistent with other clients also used by the
conductor. Additionally, they also use the globally defined
`openstack_region_name` for region_name.

Closes-Bug: #1885096

Change-Id: Ibec511013760cc4f681a2ec1b769b532be3daf2d
2020-06-25 09:36:06 +01:00
Pierre Riteau
dda9a1465a Fix Magnum trust operations in multi-region clouds
Change-Id: I7214ef38ea529f7585d7a0c75b8b0498ea4c58a2
Closes-Bug: #1885078
2020-06-25 08:23:30 +02:00
Pierre Riteau
866784c77a Enable ZooKeeper when Storm is enabled
ZooKeeper is a dependency of Apache Storm.

TrivialFix

Change-Id: Icf952be2e0b53f2e82e8ce18a48bcfa100b41cd9
2020-06-24 14:56:33 +02:00
gugug
f13847a5a2 Remove the congress roles since it has been retired
more info: https://review.opendev.org/#/c/721733/

Depends-On: I561ead226f714d98c8e06e6027715a64c3a8e47e
Depends-On: I21c9ab9820f78cf76adf11c5f0591c60f76372a8
Change-Id: Ic740d090211ee331b374a6dac69dfde466df7200
Co-Authored-By: jacky06 <zhang.min@99cloud.net>
2020-06-20 01:51:03 +00:00
Zuul
e744b9d510 Merge "Remove mongodb integration" 2020-06-19 13:50:04 +00:00
Zuul
26c7824055 Merge "Adding support for multiple globals files" 2020-06-19 13:48:37 +00:00
Zuul
013d90af7f Merge "Add support of octavia dev mod" 2020-06-19 13:43:03 +00:00
gugug
66ea6e099f Remove mongodb integration
more info: a6c97d7284

Change-Id: I778d472cc7f6ca19852482a3e309d793973d75a6
Co-Authored-By: jacky06 <zhang.min@99cloud.net>
2020-06-19 09:07:23 +08:00
Zuul
e6584532d2 Merge "Remove mongodb supported for panko backend" 2020-06-18 20:09:23 +00:00
Konstantinos Mouzakitis
f6d8c0d481 Adding support for multiple globals files
Added a spec file for this blueprint.
Changed the kolla-ansible script to accept more than one
globals.yml file. That will still be the main one but operators
will be able to create more, under the /etc/kolla/globals.d
directory.
Also added some paragraphs in the quickstart documentation
about this.
Finally, Adding a release note

Change-Id: I34eb91d0e2ed80694594b8fc6801cf8ad77da754
Implements: blueprint multiple-globals-files
2020-06-18 17:33:51 +00:00
wu.chunyang
36b93dd6e2 Add support of octavia dev mod
Similarly to other OpenStack services octavia should support
kolla dev mod for debugging.

Change-Id: I81b79dc0a4c5e40a67af7120a4109dfe11098a97
2020-06-18 22:27:23 +08:00
Zuul
e2e77ccf01 Merge "Switch octavia to use service project in service_auth" 2020-06-17 17:46:27 +00:00
Zuul
99936f1215 Merge "Remove max count from Cinder online schema migration" 2020-06-17 17:30:32 +00:00
Zuul
1e35ef5a26 Merge "Replace internal and external VIP CA with root CA" 2020-06-16 16:01:25 +00:00
Xing Zhang
c2037885e7 Switch octavia to use service project in service_auth
Recently a patch [1] was merged to stop adding the octavia user to the
admin project, and remove it on upgrade. However, the octavia
configuration was not updated to use the service project, causing load
balancer creation to fail.

There is also an issue for existing deployments in simply switching to
the service project. While existing load balancers appear to continue to
work, creating new load balancers fails due to the security group
belonging to the admin project. At a minimum, the deployer needs to
create a security group in the service project, and update
'octavia_amp_secgroup_list' to match its ID. Ideally the flavor and
network would also be recreated in the service project, although this
does not seem to impact operation and will result in downtime for
existing Amphorae.

This change adds a new variable, 'octavia_service_auth_project', that
can be used to set the project. The default in Ussuri is 'service',
switching to the new behaviour. For backports of this patch it should be
switched to 'admin' to maintain compatibility.

If a deployer sets 'octavia_service_auth_project' to 'admin', the
octavia user will be assigned the admin role in the admin project, as
was done previously.

Closes-Bug: #1882643
Related-Bug: #1873176

[1] https://review.opendev.org/720243/

Co-Authored-By: Mark Goddard <mark@stackhpc.com>

Change-Id: I1efd0154ebaee69373ae5bccd391ee9c68d09b30
2020-06-16 12:57:56 +01:00
Zuul
e7f39d31e9 Merge "Generate Root CA for Self-Signed Certificates" 2020-06-16 11:12:26 +00:00
James Kirsch
e3cd02eda4 Replace internal and external VIP CA with root CA
Replaced "kolla_external_fqdn_cacert" and "kolla_internal_fqdn_cacert" with
"kolla_admin_openrc_cacert". OS_CACERT is now set to the value of
"kolla_admin_openrc_cacert" in the generated admin-openrc.sh file.

Change-Id: If195d5402579cee9a14b91f63f5fde84eb84cccf
Partially-Implements: blueprint add-ssl-internal-network
Depends-On: https://review.opendev.org/#/c/731344/
2020-06-16 11:46:34 +01:00
Zuul
1f7a910b15 Merge "Remove chrony package if containerized chrony is enabled" 2020-06-15 18:48:06 +00:00
James Kirsch
a982d3acbb Generate Root CA for Self-Signed Certificates
Update the certificate generation task to create a root CA for the
self-signed certificates. The internal and external facing certificates
are then generated using the root CA.

Updated openstack_cacert to use system CA trust store in CI tests
certificate by default.

Change-Id: I6c2adff7d0128146cf086103ff6060b0dcefa37b
Partially-Implements: blueprint add-ssl-internal-network
2020-06-15 10:29:51 -07:00
Mark Goddard
55c0787d00 Remove max count from Cinder online schema migration
During an upgrade from Stein to Train, Kolla Ansible fails while running
TASK [cinder : Running Cinder online schema migration]

This is because the `--max_count 10` option is used, which returns 1
while migrations are processed. According to the upgrade documentation,
the command should be rerun while the exit status is 1:
https://docs.openstack.org/cinder/train/upgrade.html

This issue was introduced by a change to the image [1] which fixed a bug
in the way that the max count was interpreted, but exposed an issue in
using the max count.

This change fixes the issue by ceasing to pass MAX_NUMBER, which will
cause all migrations to occur in a single pass.

[1] https://review.opendev.org/#/c/712055

Change-Id: Ia786d037f5484f18294188639c956d4ed5ffbc2a
Closes-Bug: #1880753
2020-06-15 16:41:04 +00:00
gugug
7ae99328c4 Remove mongodb supported for panko backend
more info: a6c97d7284

Change-Id: I44850d6bb77fec33aa93e1b523eadfe0ef9483a8
Co-Authored-By: jacky06 <zhang.min@99cloud.net>
2020-06-15 22:23:09 +08:00
Michal Arbet
3d747b7200 Remove chrony package if containerized chrony is enabled
This patch is removing chrony package
from docker host when containerized chrony is enabled.
It is also fixing issue with chrony container running
under Ubuntu docker host as noted below.

+ exec /usr/sbin/chronyd -d -f /etc/chrony/chrony.conf
2020-06-08T08:19:09Z chronyd version 3.4 starting (+CMDMON +NTP +REFCLOCK +RTC +PRIVDROP +SCFILTER +SIGND +ASYNCDNS +SECHASH +IPV6 -DEBUG)
2020-06-08T08:19:09Z Fatal error : Could not open configuration file /etc/chrony/chrony.conf : Permission denied

Added also removal apparmor profile for ubuntu when
containerized chrony is enabled, as chrony's package
is not removing apparmor profile, and therefore
containerized chrony is not working.

Change-Id: Icf3bbae38b9f5630b69d5c8cf6a8bee11786a836
Closes-Bug: #1882513
2020-06-15 13:06:36 +02:00
Radosław Piliszek
7bd8805004 Fix Grafana datasource update
Grafana changed the error message wording.
Match on the shortest sane string to play it safe.

Change-Id: Ic175ebdb1da6ef66047309ff07bcbba98fc67008
Closes-Bug: #1881890
2020-06-15 11:34:30 +02:00
wu.chunyang
40096b4868 fix deploy nova failed when use kolla_dev_mod
There's a logic error here, we call nova role from nova.yml file
under ansible folder. we should clone code before run
bootstrap_service task. if not, /opt/stack/nova which is empty
will mount to nova_api container.

Change-Id: Icc54c15080db9c2dc92709480e00b990e5a88662
2020-06-15 01:45:23 +00:00
Zuul
4cb4481802 Merge "Support custom elasticsearch configuration files" 2020-06-11 09:19:15 +00:00
Zuul
f73f3e6d04 Merge "Add missing become to some VMWare tasks" 2020-06-10 18:30:03 +00:00
Christian Berendt
da64a36bc2 Support custom elasticsearch configuration files
Change-Id: Id43627c6b6d305d0efbdd27ac5a2efbd5bee9107
2020-06-10 14:50:25 +00:00
Zuul
4d84df8d7c Merge "Support customizing skydive.conf file" 2020-06-10 10:37:18 +00:00
Erol Guzoğlu
cb0715a04d Support customizing skydive.conf file
Provides mechanism to deploy custom skydive.conf files.

Change-Id: I3033b6268a2e955f3e86b1b7000db17c1bb18c47
2020-06-10 07:11:54 +00:00
Christian Berendt
60e03d7bf3 Remove XenAPI integration
Change-Id: Iea3f4f3d2e5c6040c1e0bc7bfae8719cc7d8ac55
2020-06-09 13:56:17 +02:00
Zuul
a64b4395d2 Merge "Switch to newer openstackdocstheme and reno versions" 2020-06-07 16:16:27 +00:00
jacky06
c4cee86581 Switch to newer openstackdocstheme and reno versions
Switch to openstackdocstheme 2.2.1 and reno 3.1.0 versions. Using
these versions will allow especially:
* Linking from HTML to PDF document
* Allow parallel building of documents

Update Sphinx version as well.

Remove docs requirements from lower-constraints, they are not needed
during install or test but only for docs building.

openstackdocstheme renames some variables, so follow the renames
before the next release removes them. A couple of variables are also
not needed anymore, remove them.

Set openstackdocs_pdf_link to link to PDF file. Note that
the link to the published document only works on docs.openstack.org
where the PDF file is placed in the top-level html directory. The
site-preview places the PDF in a pdf directory.

Set openstackdocs_auto_name to use 'project' as name.

Co-Authored-By: Andreas Jaeger <aj@suse.com>
Change-Id: If23546ac4cc2c19626e05b460651b61d5e82d948
2020-06-06 15:29:04 +02:00
x191859
640bbc38ab Add missing become to some VMWare tasks
Fixed on ``Copying VMware vCenter CA file`` and ``Copying over nsx.ini``.

Change-Id: If909f59e7e4b241594c6b2567784ecad23e74226
Closes-Bug: #1882252
2020-06-05 16:53:27 +00:00
Zuul
cb156b9235 Merge "Use api_interface as migration_interface default value" 2020-06-04 12:11:23 +00:00